Forum Discussion
Groove200
Mar 09, 2023, Brass Contributor
ASR rules and Cloud Delivered Protection
Does anybody have knowledge of, or a link to, more detail on how the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' actually works? I und...
rahuljindal
Mar 09, 2023, Bronze Contributor
Cloud protection is a must, and the trust list is managed by Microsoft to determine the reputation of the exe. I doubt this can function without internet access, as is true for most of the Defender real-time components. Some more details are available in the FAQ here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide#are-the-criteria-used-by-the-rule---block-executable-files-from-running-unless-they-meet-a-prevalence--age--or-trusted-list-criterion---configurable-by-an-admin-
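A practical way to check the two things this answer hinges on (the rule is actually in Block mode, and cloud-delivered protection is switched on) is to query Defender from PowerShell on the endpoint and then look at the ASR events it has written. The script below is an added example and not code from the thread or from Microsoft; the rule GUID is the one Microsoft's ASR rules reference lists for this rule (verify it against the current docs before relying on it), and the action codes and event IDs are as documented for Defender, not values taken from this thread.

```powershell
# Added example: verify the prevalence/age/trusted-list ASR rule and its cloud prerequisite.
# Run in an elevated PowerShell session on the Windows endpoint being checked.

# GUID for 'Block executable files from running unless they meet a prevalence, age,
# or trusted list criterion' (assumed from Microsoft's ASR rules reference; confirm there).
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. Rule state. Ids and Actions are parallel arrays; action codes are
#    0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ruleAction  = 'Not configured'
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    # -eq on strings is case-insensitive, so GUID casing does not matter here.
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $RuleId) {
        $code       = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $ruleAction = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown ($code)" }
    }
}
"ASR rule $RuleId : $ruleAction"

# 2. Cloud-delivered protection. MAPSReporting 0 = off, 1 = basic, 2 = advanced.
#    Without MAPS the rule has no reputation source to consult.
$mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
"MAPSReporting           : $($mapsNames[[int]$pref.MAPSReporting])"
"SubmitSamplesConsent    : $($pref.SubmitSamplesConsent)"
"CloudBlockLevel         : $($pref.CloudBlockLevel)"
"CloudExtendedTimeout(s) : $($pref.CloudExtendedTimeout)"
"Real-time protection    : $($status.RealTimeProtectionEnabled)"
"Antimalware service     : $($status.AMServiceEnabled)"

if ($ruleAction -ne 'Block') {
    Write-Warning "Rule is '$ruleAction'; to enforce it run:"
    Write-Warning "  Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled"
}
if ([int]$pref.MAPSReporting -eq 0) {
    Write-Warning 'Cloud-delivered protection is off; to enable it run:'
    Write-Warning '  Set-MpPreference -MAPSReporting Advanced'
}

# 3. Evidence of what the rule actually did. Defender logs ASR hits to its Operational
#    channel: event 1121 = rule blocked something, 1122 = rule would have blocked (audit).
#    Filtering on the GUID isolates this rule; the message names the blocked file.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object -First 20 TimeCreated, Id, Message

if ($events) { $events | Format-List } else { "No 1121/1122 events recorded for rule $RuleId" }
```

Re-running the third part before and after an offline test of a freshly compiled exe answers the question the thread goes on to ask: if the launch produced a 1121 event with the file's path while online and nothing while offline, that is a record of the difference rather than a guess.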
Groove200
Mar 10, 2023, Brass Contributor
Thanks, kind of what I thought, but I wondered whether an exe would run if there was no internet access (if it is blocked when there is internet access, for example). The question being: can you 'bypass' the block by disconnecting from the internet (so the cloud can't check), run the exe, and then reconnect to the internet? I guess I can check this by trying 😉
The bigger question is: is it expected behaviour for an exe that is initially blocked (a brand new, just compiled exe) to be allowed to run some time after the cloud has 'checked it'?